Interactive PCP


Probabilistically Checkable Arguments
Yael Tauman Kalai, Microsoft Research
Ran Raz, Weizmann Institute
Our Results
Main Result: public-coin IP → one-round argument
PSPACE = IP = Public-coin IP [LFKN, Shamir, Goldwasser-Sipser]
Corollary 1: PSPACE ⊆ 1-round arguments
Our Results (Cont.)
Main Result: public-coin IP → one-round argument
Define: probabilistically checkable arguments (PCAs) ≈ PCPs that are only computationally sound
Main Result with IP [Goldwasser-K-Rothblum08]
Corollary 2: Short PCAs of size poly(|witness|)
Interactive Proofs (IP)
[Goldwasser-Micali-Rackoff, Babai]
Proofs that use interaction and randomization
• IP=PSPACE [Lund-Fortnow-Karloff-Nisan, Shamir]
# rounds = poly(n)
• Can we reduce the number of rounds?
– O(1)-round IP = 1-round IP
– Believed: 1-round IP does not contain much…
(1-round IP  PSPACE)
Interactive Arguments (IA)
Interactive proofs that are only computationally sound:
Security holds only against comp. bounded cheating provers
Poly-time verifier
Honest prover’s runtime T
Soundness against cheating provers of size 2^k
Interactive Arguments (cont.)
IA=NEXP [Kilian,Micali]
# rounds = 2 (4 messages)
What can be proved via 1-round interactive argument?
– [Micali]: In random oracle model
NEXP=1-round IA
– What about in the plain model??
PSPACE ⊆ 1-round IA
Our Result
public-coin: verifier only sends his coin tosses
[Goldwasser-Sipser]: IP = public-coin IP
public-coin IP → one-round argument (via PIR)
[Diagram: (P, V) is converted to (P’, V’); labels: msgV’, "Independent of instance"]
Main Thm: Under exponential hardness assumptions, any public-coin IP can be converted into a one-round argument (blowup in prover's run-time)
No blowup if we use fully-homomorphic encryption [Gentry09]
No blowup if we use IP of [GKR08]
Previous Attempts
• Fiat-Shamir88:
Use hash-function to convert any public-coin IP into 1-round argument
• Barak01, Goldwasser-K03:
Exhibit inherent difficulties in proving soundness
• Aiello-Bhatt-Ostrovsky-Rajagopalan00:
Use PIR scheme to convert the two-round Kilian/Micali argument for NEXP into a (short) one-round argument
• Dwork-Langberg-Naor-Nissim-Reingold04:
Exhibit inherent difficulties in proving soundness
Proof Idea
Public-coin interactive proof → 1-round argument (via PIR)
PIR Scheme
[Chor-Goldreich-Kushilevitz-Sudan95, Kushilevitz-Ostrovsky97]
[Diagram: user U sends a query to the database DB holding x1, x2, …, xi, …, xN; DB returns an answer]
PIR Scheme
[Chor-Goldreich-Kushilevitz-Sudan95, Kushilevitz-Ostrovsky97]
Secrecy: ∀ i,j ∈ {1,…,N}: q(i) ≈ q(j) for distinguishers of size poly(N)
polylog PIR Scheme [CMS99]:
Communication complexity = poly(k, log N)
User run-time poly(k, log N)
Public-coin interactive proof (P, V): V sends r1, P replies m1; V sends r2, P replies m2; …; V sends rt, P replies mt
1-round argument (P’, V’): V’ sends q1,…,qt; P’ replies a1,…,at
• qi = query(r1,…,ri)
• ai = answer(qi, DBi), where the (r1,…,ri) entry of DBi is mi(r1,…,ri)
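The V’/P’ message flow above, as an added Python sketch that is not from the slides or the paper. Assumptions: the PIR is a toy quadratic-residuosity scheme in the style of Kushilevitz-Ostrovsky with linear-size queries and one small modulus reused for every round (not the polylog PIR of [CMS99]), and `honest_msg` / `v_accepts` are constructed stand-ins for the prover strategy and final check of some public-coin IP. Note how P’ must tabulate DBi over all R^i coin prefixes, which is the blowup in the prover's run-time.

```python
import random
from itertools import product
from math import prod

P, Q = 2**31 - 1, 2**61 - 1   # V' secret: toy Mersenne primes, far too small for real use
N = P * Q                     # public PIR modulus
R, T, BITS = 4, 2, 4          # coin values per round, rounds, bits per prover message

def is_qr(z):                 # quadratic-residue test; needs the factorisation of N
    return pow(z, (P - 1) // 2, P) == 1 and pow(z, (Q - 1) // 2, Q) == 1

def query(index, size, rng):  # residues everywhere, one non-residue hidden at `index`
    q = [pow(rng.randrange(2, N), 2, N) for _ in range(size)]
    while True:
        y = rng.randrange(2, N)
        if pow(y, (P - 1) // 2, P) == P - 1 and pow(y, (Q - 1) // 2, Q) == Q - 1:
            q[index] = y
            return q

def answer(q, db):            # server side, one value per bit-plane; never learns `index`
    return [prod(y if (e >> b) & 1 else y * y for y, e in zip(q, db)) % N
            for b in range(BITS)]

def decode(a):                # bit b is 1 exactly when a[b] is a non-residue
    return sum((not is_qr(z)) << b for b, z in enumerate(a))

def honest_msg(rs):           # constructed stand-in for the IP prover's m_i(r_1..r_i)
    return (3 * sum(rs) + len(rs)) % 2**BITS

def v_accepts(rs, ms):        # constructed stand-in for V's check on the transcript
    return all(m == honest_msg(rs[:i + 1]) for i, m in enumerate(ms))

def index_of(rs):             # position of prefix (r_1..r_i) in DB_i, base-R digits
    return sum(r * R**(len(rs) - 1 - j) for j, r in enumerate(rs))

def v_first_message(rng):     # V': choose all coins, send q_i = query(r_1..r_i)
    rs = [rng.randrange(R) for _ in range(T)]
    return rs, [query(index_of(rs[:i]), R**i, rng) for i in range(1, T + 1)]

def p_reply(queries, strategy):  # P': DB_i holds m_i for all R^i prefixes
    dbs = [[strategy(list(p)) for p in product(range(R), repeat=i)]
           for i in range(1, T + 1)]
    return [answer(q, db) for q, db in zip(queries, dbs)]

def run(strategy, seed):      # one round: V' -> P' -> V' decodes and runs V's check
    rng = random.Random(seed)
    rs, queries = v_first_message(rng)
    return v_accepts(rs, [decode(a) for a in p_reply(queries, strategy)])
```

`run(honest_msg, seed)` accepts, while a prover that tabulates a different strategy, such as the constant 0, is rejected by V's check on the decoded transcript.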
Proof Idea
Fix x not in L. Suppose ∃ P* of size ≤ 2^k s.t.
Pr[(P*,V’)(x)=1] ≥ s+
[Diagram, both verifiers deciding "x ∈ L?": (P, V) exchange r1, m1, r2, m2, …, rt, mt; (P’, V’) exchange q1,…,qt and a1,…,at]
• qi = query(r1,…,ri)
• ai = answer(qi, DBi), where the (r1,…,ri) entry of DBi is mi(r1,…,ri)
Proof Idea
[Diagram: hybrid protocols (P0,V0), …, (Pi,Vi), …, (Pt,Vt)]
(P0,V0): r1, m1, r2, m2, …, rt, mt; soundness ≤ s against any cheating prover
(Pi,Vi): q1,…,qi; a1,…,ai; {rj}, {mj}, ri+1; mi+1; …; rt, mt
(Pt,Vt): q1,…,qt; a1,…,at; ∃ P* of size 2^k s.t. Pr[(P*,Vt)(x)=1] ≥ s+
Proof Idea (Cont.)
[Diagram: hybrids (Pi-1,Vi-1) and (Pi*,Vi), each verifier deciding "x ∈ L?"]
(Pi-1,Vi-1): q1,…,qi-1; a1,…,ai-1; {rj}j=1,..,i-1, {mj}j=1,..,i-1, ri; mi; …; rt, mt
(Pi*,Vi): q1,…,qi; a1,…,ai; {rj}j=1,..,i, {mj}j=1,..,i, ri+1; mi+1; …; rt, mt
(Pi-1,Vi-1): soundness ≤ s* against any cheating prover of size 2^k ≈ |P*i| + 2^O(cc)
(Pi*,Vi): Pr[(P*i,Vi)(x)=1] ≥ s* + /t
Use P*i to break PIR in time 2^O(k)
Summary
public-coin IP → one-round argument (via PIR)
Corollary: PSPACE ⊆ 1-round argument
Open: 1-round argument = NEXP ? PSPACE ?
Remark: This method does not seem to work when applied to interactive arguments (rather than proofs)
Interactive proof [GKR08] → PCA
Thanks !!